PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.
The vulnerability results from the lack of validation and sanitization of the 'data' parameter value passed to the PDF Export Module. An attacker can inject malicious JavaScript code, which is then processed and executed by the Node.js environment on the server side. This is a classic case of command injection (CWE-78) — an unauthenticated remote user can provide a specially crafted payload without any additional prerequisites.
Successful exploitation of the vulnerability leads to complete server compromise, including the ability to execute arbitrary system commands with Node.js process privileges. An attacker can read system files, install malicious software, or conduct further lateral movement in the network.
The PDF Export Module must be immediately updated to version 0.7.6 or later, in which the RCE vulnerability and file read vulnerability have been removed. Update information is available in the DHTMLX vendor documentation (PDF Export module changelog).
PDF Export Module (DHTMLX component) in versions prior to 0.7.6, used in DHTMLX Gantt and DHTMLX Scheduler products.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XDhtmlx Pdf Export Module
APPDhtmlx< 0.7.6
Related vulnerabilities
Path Traversal w PDF Export Module DHTMLX Gantt i Scheduler
Directory Traversal vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive i...
Local File Inclusion vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive ...
Cross-site scripting (XSS) vulnerability in codebase/spreadsheet.php in the Spreadsheet (dhtmlxSpreadsheet) pl...